{"id":500,"date":"2016-09-28T19:44:43","date_gmt":"2016-09-28T19:44:43","guid":{"rendered":"http:\/\/blog.mozilla.org\/webqa\/?p=500"},"modified":"2016-09-28T19:44:43","modified_gmt":"2016-09-28T19:44:43","slug":"further-enhancements-and-capabilities-added-to-my-dockerzap-cli-scriptjenkins-integration","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/fxtesteng\/2016\/09\/28\/further-enhancements-and-capabilities-added-to-my-dockerzap-cli-scriptjenkins-integration\/","title":{"rendered":"Further enhancements and capabilities added to my Docker+ZAP-CLI script\/Jenkins integration"},"content":{"rendered":"<p>Since my <a href=\"https:\/\/blog.mozilla.org\/webqa\/2016\/07\/07\/tough-lessons-learned-from-integrating-docker-zap-cli-and-jenkins\/\">third follow-up post<\/a> on my Docker + OWASP <a href=\"https:\/\/github.com\/Grunny\/zap-cli\">ZAP-CLI<\/a> + Jenkins work &#8212; most of which lies in my <a href=\"https:\/\/github.com\/stephendonner\/docker-zap\">docker-zap GitHub repo<\/a>, I&#8217;ve made both small and key improvements, which I&#8217;d like to highlight here:<\/p>\n<ol>\n<li>fixed the hardcoded <code>sleep 20<\/code> call, and instead use the provided <code>status<\/code> flag\/state, so we only start running the ZAP-CLI when the daemon\/API is ready (<a href=\"https:\/\/github.com\/stephendonner\/docker-zap\/issues\/1\">https:\/\/github.com\/stephendonner\/docker-zap\/issues\/1<\/a>)<\/li>\n<li>instead of a statically-specified host in the shell script, we pass in a variable (with a default <code>TARGET_URL<\/code> in the accompanying Jenkins job config) that is easily overridden by entering a new value in the build-job prompt (<a href=\"https:\/\/github.com\/stephendonner\/docker-zap\/issues\/4\">https:\/\/github.com\/stephendonner\/docker-zap\/issues\/4<\/a>)<\/li>\n<li>I now use the provided <code>alerts<\/code> command to output a nice, easy-to-read table if any issues are found &#8212; complete with the following (<a href=\"https:\/\/github.com\/stephendonner\/docker-zap\/issues\/10\">https:\/\/github.com\/stephendonner\/docker-zap\/issues\/10<\/a>):\n<ol>\n<li>type of alert\/issue<\/li>\n<li>risk<\/li>\n<li><a href=\"https:\/\/cwe.mitre.org\/about\/faq.html#B.2\">CWE ID<\/a> (Common Weakness Enumeration)<\/li>\n<li>URL<\/li>\n<\/ol>\n<\/li>\n<li>because the aim of this particular setup is to find Web-application vulnerabilities throughout development cycles (including post-release), I now invoke <code>ATTACK mode<\/code> upon start-up of ZAP itself (<a href=\"https:\/\/github.com\/stephendonner\/docker-zap\/issues\/12\">https:\/\/github.com\/stephendonner\/docker-zap\/issues\/12<\/a>)<\/li>\n<li>a minor addition, for clarity, is that I&#8217;ve added a separator between the ZAP-CLI&#8217;s output and the full, raw engine&#8217;s log (<a href=\"https:\/\/github.com\/stephendonner\/docker-zap\/issues\/13\">https:\/\/github.com\/stephendonner\/docker-zap\/issues\/13<\/a>)<\/li>\n<\/ol>\n<p>Here&#8217;s sample output: <a href=\"http:\/\/pastebin.com\/bLmKkMws\">http:\/\/pastebin.com\/bLmKkMws<\/a><\/p>\n<p>And a high-level overview in my <a href=\"https:\/\/youtu.be\/hz4fGVeVfHA\">Docker-ZAP-CLI screencast<\/a>.<\/p>\n<p>I&#8217;m still anticipating wider adoption and integration of ZAP, whether that&#8217;s through my particular setup or something else, so please feel free to contribute pull requests and ask\/answer questions, etc., preferably through <a href=\"https:\/\/github.com\/stephendonner\/docker-zap\/issues\">GitHub Issues<\/a>.<\/p>\n<p>Thanks!<\/p>\n<p><a href=\"https:\/\/mozillians.org\/en-US\/u\/stephend\/\">Stephen<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since my third follow-up post on my Docker + OWASP ZAP-CLI + Jenkins work &#8212; most of which lies in my docker-zap GitHub repo, I&#8217;ve made both small and key &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/fxtesteng\/2016\/09\/28\/further-enhancements-and-capabilities-added-to-my-dockerzap-cli-scriptjenkins-integration\/\">Read more<\/a><\/p>\n","protected":false},"author":512,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[228,278094,542,31342,4553,69,265,278096],"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/posts\/500"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/users\/512"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/comments?post=500"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/posts\/500\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/media?parent=500"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/categories?post=500"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/tags?post=500"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}